Control: tags 22 + pending
Dear maintainer,
I've prepared an NMU for xdg-utils (versioned as 1.1.0~rc1+git20111210-7.4) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/changelog xdg-utils-1.1.0~rc1+git20111210/debian/changelog
--- xdg-utils-1.1.0~rc1+git20111210/debian/changelog 2015-01-10 16:22:21.0 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/changelog 2015-02-20 16:28:35.0 +0100
@@ -1,3 +1,13 @@
+xdg-utils (1.1.0~rc1+git20111210-7.4) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add CVE-2015-1877.patch patch.
+CVE-2015-1877: Command injection vulnerability due to local variables
+collision.
+Thanks to Jiri Horner laeq...@gmail.com (Closes: #22)
+
+ -- Salvatore Bonaccorso car...@debian.org Fri, 20 Feb 2015 16:24:18 +0100
+
xdg-utils (1.1.0~rc1+git20111210-7.3) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch 1970-01-01 01:00:00.0 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/CVE-2015-1877.patch 2015-02-20 16:28:35.0 +0100
@@ -0,0 +1,33 @@
+Description: CVE-2015-1877: Command injection vulnerability due to local variables collision
+Origin: vendor
+Bug: https://bugs.freedesktop.org/89129
+Bug-Debian: https://bugs.debian.org/22
+Forwarded: yes, https://bugs.freedesktop.org/show_bug.cgi?id=89129
+Author: Jiri Horner laeq...@gmail.com
+Reviewed-by: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2015-02-20
+
+--- a/scripts/xdg-open.in
b/scripts/xdg-open.in
+@@ -128,16 +128,16 @@ open_generic_xdg_mime()
+
+ DEBUG 3 $xdg_user_dir:$xdg_system_dirs
+ for x in `echo $xdg_user_dir:$xdg_system_dirs | sed 's/:/ /g'`; do
+-local file
++local desktop_file
+ # look for both vendor-app.desktop, vendor/app.desktop
+ if [ -r $x/applications/$default ]; then
+- file=$x/applications/$default
++ desktop_file=$x/applications/$default
+ elif [ -r $x/applications/`echo $default | sed -e 's|-|/|'` ]; then
+- file=$x/applications/`echo $default | sed -e 's|-|/|'`
++ desktop_file=$x/applications/`echo $default | sed -e 's|-|/|'`
+ fi
+
+-if [ -r $file ] ; then
+-set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' $file)
++if [ -r $desktop_file ] ; then
++set -- $(sed -n 's/^Exec\(\[[^]]*\]\)\{0,1\}=//p' $desktop_file)
+ command_exec=$(which $1 2 /dev/null)
+ if [ -x $command_exec ] ; then
+ shift
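Review bot: The renamed `local desktop_file` on the added line is still declared without an initializer, which is the same mechanism that let the old `file` inherit the caller's value in shells whose `local` does not reset an existing variable; within the `for x in ...` loop a desktop file found in one iteration also stays set in later iterations when neither `-r` test matches. Initialising it (`local desktop_file=`) removes that carry-over, but on its own it exposes a second problem: the expansion is unquoted, so an empty value turns `[ -r $desktop_file ]` into `[ -r ]`, which POSIX `test` treats as true, and the following `sed ... $desktop_file` then reads stdin rather than a file. The guard should therefore become `if [ -n "$desktop_file" ] && [ -r "$desktop_file" ] ; then` with `"$desktop_file"` quoted in the `sed -n` line as well; quoting `$x/applications/$default` in the two `-r` tests would be a low-risk follow-up for directories or `$default` values containing whitespace. The enclosing `open_generic_xdg_mime` function starts before and continues past this hunk, so the later use of `$1` from `set --` and `which $1` is not visible here.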
diff -Nru xdg-utils-1.1.0~rc1+git20111210/debian/patches/series xdg-utils-1.1.0~rc1+git20111210/debian/patches/series
--- xdg-utils-1.1.0~rc1+git20111210/debian/patches/series 2015-01-10 16:20:40.0 +0100
+++ xdg-utils-1.1.0~rc1+git20111210/debian/patches/series 2015-02-20 16:28:35.0 +0100
@@ -9,3 +9,4 @@
fix-bashism-use-of-echo.patch
command-injection.patch
xdg-open-safe.diff
+CVE-2015-1877.patch